Introduction

One of the most popular extensions to the Apache webserver has been mod_rewrite - a filter which rewrites URLs. For example, instead of a URL such as

http://www.apache.org/BookDetails.pl?id=5

you could provide a filter which accepts URLs such as

http://www.apache.org/Book/5.html

and it will silently perform a server-side redirect to the first URL. In this way, the real URL could be hidden, providing an obfuscated facade to the web page. The benefits are easier to remember URLs and increasing the difficulty of hacking a website.

Mod_rewrite became very popular and grew to encompass a couple of other features not related to URL Rewriting, such as caching. This article demonstrates URL Rewriting with ASP.NET, whereby the requested URL is matched based on a regular expression and the URL mappings are stored in the standard ASP.NET web.config configuration file. ASP.NET includes great caching facilities, so there's no need to duplicate mod_rewrite's caching functionality.

As more and more websites are being rewritten with ASP.NET, the old sites which had been indexed by google and linked from other sites are lost, inevitably culminating in the dreaded 404 error. I will show how legacy ASP sites can be upgraded to ASP.NET, while maintaining links from search engines.

ASP.NET support for URL Rewriting

ASP.NET provides very limited support out of the box. In fact, it's support is down to a single method:

void HttpContext.RewritePath(string path)

which should be called during the Application_BeginRequest() event in the Global.asax file. This is fine as long as the number of URLs to rewrite is a small, finite, managable number. However most ASP sites are in some way dynamic, passing parameters in the Query String, so we require a much more configurable approach.

The storage location for all ASP.NET Configuration information is the web.config file, so we'd really like to specify the rewrites in there. Additionally, .Net has a fast regular expression processor, giving free and fast search and replace of URLs. Let's define a section in the web.config file which specifies those rewrites:

Notice how we have to escape the period in the url element such as 'show\.asp'. This is a Regular Expression escape and it's a small price to pay for the flexibility of regular expressions. These also show how we set-up a capturing expression using (.*) in the <url> element and refer to that capture in the <rewrite> element with $1

Configuration Section Handlers

.Net's configuration mechanism requires us to write code as a "handler" for this section. Here's the code for that:

This section handler specifies that for every section called "urlrewrites", there is a class called ThunderMain.URLRewriter.Rewriter which can be found in the ThunderMain.URLRewriter.dll assembly with the given public key token. The public key token is required because this assembly has to be placed into the GAC and therefore given a strong name.

A section handler is defined as a class which implements the IConfigurationSectionHandler interface. This has one method, Create(), which should be implemented, and in our code that is very simple. It merely stores the urlrewrites element for later use:

which calls the static method Process() on the Rewriter class. Process() first obtains a reference to the configuration section handler (which happens to be an instance of the current class) and then delegates most of the work to GetSubstitution() - an instance method of this class.

Installing the sample code

Extract the code into a URLRewriter folder, then turn this into a virtual directory using the Internet Information Services MMC control panel applet. Compile the code use the 'Make Rewriter.bat' batch script into the bin sub-folder. Then add bin/ThunderMain.URLRewriter.dll to the Global Assembly Cache by copying and pasting the dll into %WINDIR%\assembly using Windows Explorer. Finally, navigate to http://localhost/URLRewriter/default.aspx and try the demo URLs listed.

None will actually work because there's one last thing we have to be aware of...

Finally

There's one major caveat with all this. If you want to process a request with a file extension other than .aspx such as .asp or .html, then you need to change IIS to pass all requests through to the ASP.NET ISAPI extension. Unfortunately, you will need physical access to the server to perform this, which prevents you from simply XCOPY deploying your code to an ISP.

We've added the HEAD, GET and POST verbs to all files with .* file extension (ie all files) and mapped those to the ASP.NET ISAPI extension - aspnet_isapi.dll.

Share

About the Author

Richard Birkby is a software engineer from London, UK, specializing in .Net. Richard has coded for many different sized companies from small venture-capital funded start-ups, to multi-national corporations (ie Microsoft). When he's not programming, he enjoys driving his sports car or eating curry (although never at the same time!).

Richard helps run CurryPages.com and has several other covert ventures in development. Stay tuned!

Comments and Discussions

website working once its load but after rfresh it showing 500-internal server error. when i remove url rewrite module from .config file no error showing. below is my web.config code

<?xml version="1.0" encoding="UTF-8"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<connectionStrings />
<system.web>
<httpHandlers>
<add verb="*" path="LanapCaptcha.aspx" type="Lanap.BotDetect.CaptchaHandler, Lanap.BotDetect" />
</httpHandlers>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
-->
<compilationdebug="true"><assemblies><addassembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/><addassembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/></assemblies></compilation>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authenticationmode="Windows"/>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrorsmode="RemoteOnly"defaultRedirect="GenericErrorPage.htm"><errorstatusCode="403"redirect="NoAccess.htm"/><errorstatusCode="404"redirect="FileNotFound.htm"/></customErrors>
-->
</system.web><appSettings><addkey="cString"value="data source=P2390918\SQLEXPRESS;initial catalog=tppAD;uid=tpp;pwd=tpp;persist security info=False;packet size=4096"/></appSettings><system.webServer><validationvalidateIntegratedModeConfiguration="false"/><defaultDocument><files><clear/><addvalue="default.aspx"/><addvalue="Default.htm"/><addvalue="Default.asp"/><addvalue="index.htm"/><addvalue="index.html"/><addvalue="iisstart.htm"/></files></defaultDocument><rewrite><outboundRules><rulename="OutboundRewriteUserFriendlyURL1"preCondition="ResponseIsHtml1"><matchfilterByTags="A, Form, Img"pattern="^(.*)in_bdir_dedd\.aspx$"/><actiontype="Rewrite"value="{R:1}/ in_bdir_dedd"/></rule><rulename="OutboundRewriteUserFriendlyURL2"preCondition="ResponseIsHtml1"><matchfilterByTags="A, Form, Img"pattern="^(.*)dubaiairports\.aspx$"/><actiontype="Rewrite"value="{R:1}/ dubaiairports"/></rule><preConditions><preConditionname="ResponseIsHtml1"><addinput="{RESPONSE_CONTENT_TYPE}"pattern="^text/html"/></preCondition></preConditions></outboundRules><rules><rulename="RedirectUserFriendlyURL1"stopProcessing="true"><matchurl="^in_bdir_dedd\.aspx$"/><conditions><addinput="{REQUEST_METHOD}"pattern="^POST$"negate="true"/></conditions><actiontype="Redirect"url="in_bdir_dedd"appendQueryString="false"/></rule><rulename="RewriteUserFriendlyURL1"stopProcessing="true"><matchurl="^in_bdir_dedd$"/><conditions><addinput="{REQUEST_FILENAME}"matchType="IsFile"negate="true"/><addinput="{REQUEST_FILENAME}"matchType="IsDirectory"negate="true"/></conditions><actiontype="Rewrite"url="in_bdir_dedd.aspx"/></rule><rulename="RedirectUserFriendlyURL2"stopProcessing="true"><matchurl="^dubaiairports\.aspx$"/><conditions><addinput="{REQUEST_METHOD}"pattern="^POST$"negate="true"/></conditions><actiontype="Redirect"url="dubaiairports"appendQueryString="false"/></rule><rulename="RewriteUserFriendlyURL2"stopProcessing="true"><matchurl="^dubaiairports$"/><conditions><addinput="{REQUEST_FILENAME}"matchType="IsFile"negate="true"/><addinput="{REQUEST_FILENAME}"matchType="IsDirectory"negate="true"/></conditions><actiontype="Rewrite"url="dubaiairports.aspx"/></rule></rules></rewrite></system.webServer></configuration>

What is URL REDIRECTION?How can i use this concept in my .net?my task is i have generated one url like this "http://example.com/"I am passing one pearameter like "http://example.com/Empno=1"I want to display Ename in Database table that corresponding "Empno"plz Help me Give me one simple example

I am new this conceptsplz Help me send source code to my mailID:mandla.anilbabu@gmail.com

ive been using this for a long time and it works well - i wonder how i can use this for non duplicate default documents for SEO purposes ?? can i in some way rewrite - www.test.com/index.aspx to www.test.com. basically i want google not to index www.test.com/index.aspx & www.test.com as duplicate content.

I used this dll and its very much usefull for me, everything works fine in my local machine, when i uploaded on shared hosting it gives trust level error as it requires full trust level and i cant get full trust level on shared hosting. So dou have any idea?

The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

i have create urlrewite it works fine on local but gives error on-line at global.asax "trust permission" error for web.config. i am using asp.net 2.0. I contact my hosting provider for this issue but they tell "As you are using ASP.NET 2.0 or above on the hosting account you only get medium trust."

I have the url like www.domain.com/administrator/login.aspx and www.domain.com/EndUsers/login.aspx. If the url contains "administrator",the url will be www.Admin.domain.com/administrator/login.aspx
How do I append the "Admin" text in the Url.

i download your project its working fine when i open on asp.net2.0 IED all dll class etc etc pages for url rewriting is working fine
BUt when this same Project i open through my local IIS it not work. always show page not found. i already done the IIS conflagrations.

I already done this on your

Finally

There's one major caveat with all this. If you want to process a request with a file extension other than .aspx such as .asp or .html, then you need to change IIS to pass all requests through to the ASP.NET ISAPI extension. Unfortunately, you will need physical access to the server to perform this, which prevents you from simply XCOPY deploying your code to an ISP.

but still it not work please help me how can i run you proj on IIS 5.0

I have using FCKeditor.Plone 2.2 iwht our Asp.net Web Application. i set ImageBrowserURL property as our server path like-"http://www.abc.com/Images/", but when i click on browse server button in image property then error is- "Directory Listing Denied" and "This Virtual Directory does not allow contents to be listed." . when i upload image through fck uploader then new folder created in root of application as UserFolder/Images. i want to set uploader server path as our directory like-"http://www.abc.com/Images/" but no way i found.

In My web Application i have used Url Rewriting. when i come from one to another page through url Rewriting. second page contains Asp.net button for some user input. when user Click on this button. Virtual path of page has lost and new url show on url bar like.

In My web Application i have used Url Rewriting. when i come from one to another page through url Rewriting. second page contains Asp.net button for some user input. when user Click on this button. Virtual path of page has lost and new url show on url bar like.

Hello
I just installed ThunderMain UrlRewrite and it is working perfect.
i needed it to provide simple url for my customers at sellyourhome.ca
so if someone has a listing ID=70 then his url is
www.sellyourhome.ca/70 which maps to www.sellyourhome.ca/propertyview.aspx?listingid=70

I am new for Url rewrite. A have a questions. The links from extranet
are something like this
Apartments.aspx?State=MA&City=Boston. However, user must see
something on browsers URL
Apartments/MA/Boston.aspx . Essentially just change browser URL, but
I can change the page name it self .

Thanks for you code BTW we use it a lot. Watchfire came across one of our sites that had an XSS issue even with [pages validateRequest="true"]

it seems that by tacking on to the end of a url something like </script><script>alert(82258)</script> to the tail end of an HTML request that the security validator will not pick it up once you have called .RewritePath() with the new URL (only if your rewrite rule does not handle the the extra data)

The problem is that in the Request context that Request.RawUrl still contains the full path for your original virtualized Request and it never gets validated even if your happened to strip off some parameters.

take for instance /urlrewriter/(.*)show.aspx?test=</script><script>alert(82258)</script> with a rewrite of /urlrewriter/show.aspx?id=$1

now if your ASPX code happens to make use of Request.RawUrl the malign JavaScript is still there in it and if you reflect it back into to your webpage, say into a href link you would now have a XSS security problem on your hands.

ASP.Net events should be validating on the start against the GET data but it appears not to do so until after the call to .RewritePath() which is very bad on Microsoft part I suppose.

I would hate to say that all parts of the URL should be accounted for but all the rewrite rules should be more like url pattern of /(.*)/file.aspx?(.*) first and have a rewrite rule to take care of the parameters after the ? mark like /file.aspx?id=$1&$2 for safety's sake and to keep the validateRequest firing.

Better yet all developers should use the Anti-XSS library from Microsoft with reflecting any content that might be able to be compromized.

Thanks. That's a sensible solution for dealing with vroot versus webserver root deployed sites and as you say supports the ability to anchor the start of the regular expression to the website deployment location rather than the root of the webserver.

- How are you do to generate the keyfile.snk file ?
- We have also a ThunderMain.URLRewriter.dll on the bin directory, how are you do to genarate this assemby and where is the code that generate the assemby?

Brief, if it is possible to show us step by step the way you generate assembies and use them, your article will be very help for beginners !!

while i am writing this code in web config:<url>param\.aspx</url> <rewrite>UserDetail.aspx?UserID=$0</rewrite>It rewrite following :UserDetail.aspx?UserID=$param.aspx instead of writting UserDetail.aspx?UserID=value of current UserID pls help